Product Security Analyst

What You Will Do

• Evaluate vulnerability reports submitted by security researchers to determine validity, severity, exploitability, and business impact for HackerOne customers using Data-Driven Decision Making and established security frameworks such as CVSS.
• Independently reproduce reported vulnerabilities across web and mobile applications, applying First Principles Problem Solving to validate findings, identify root causes, and clearly communicate impact.
• Collaborate directly with security researchers to gather missing information, clarify technical details, and improve report quality while maintaining clear and professional communication with customers.
• Create concise, technically accurate summaries for validated findings, including reproduction steps, impact analysis, and remediation guidance.
• Demonstrate Change Agility by adapting to evolving customer environments, changing program scopes, emerging attack techniques, and shifting operational priorities.
• Contribute to an AI-First approach by leveraging automation and AI-enabled workflows to improve operational efficiency, report analysis, and vulnerability triage quality.
• Partner cross-functionally with Technical Services teammates and customer-facing teams to ensure timely handling of vulnerabilities and a high-quality customer experience.
• Proactively identify opportunities to improve internal processes, documentation, tooling, and triage workflows to enhance scalability and consistency across the Technical Services organization.

Minimum Qualifications

• 3+ years of hands-on experience performing security testing, vulnerability research, or ethical hacking on web and mobile applications.
• Strong technical understanding of common application security vulnerabilities, including the OWASP Top 10.
• Experience using security testing tools such as Burp Suite and familiarity with vulnerability scoring frameworks including CVSS.
• Excellent written and verbal communication skills in English, including the ability to communicate technical concepts clearly to both technical and non-technical audiences.

Preferred Qualifications

• Experience participating in bug bounty or vulnerability disclosure programs.
• Experience reproducing and validating vulnerabilities submitted by external researchers or customers.
• Familiarity with scripting or automation used in security testing or operational workflows.
• Demonstrated ability to manage competing priorities and maintain operational excellence in a fast-paced, globally distributed environment.

Compensation BandTier A (SF Bay Area) - $135,000 to $155,000

Tier B (all other locations) - $120,000 to $140,000 (+ equity)

#LI-MH1